2. What is Metasploit?
• A collaboration between the open source community and
Rapid7, Metasploit software helps security and IT professionals
identify security issues, verify vulnerability mitigations, and
manage expert-driven security assessments, providing true
security risk intelligence.
• Capabilities include smart exploitation, password auditing, web
application scanning, and social engineering.
• Teams can collaborate in Metasploit and present their findings
in consolidated reports.
• Metasploit editions range from a free edition to professional
enterprise editions, all based on the Metasploit Framework, an
open source software development kit with the world's
largest public collection of quality-assured exploits.
3. Metasploit is a hacking framework written in Ruby. It is
designed to make writing and executing exploits as
simple as possible.
4. History of the Metasploit Project
• Metasploit Project
– HD Moore & Friends
– A community-driven project since 2003
• Rapid7
– Maker of NeXpose Vulnerability Management
– Purchased the project from HD
• Metasploit Framework
– The original open-source exploit framework
5. Metasploit Versions
• 1.0 released in 2003 (Perl)
• 2.0 released in 2004 (better Perl)
– 2.7 released in late 2006
• 3.0 released in 2007 (Ruby)
– 3.2 released in late 2008
– 3.3 released in late 2009
– 3.4 released in early 2010
– 3.4.1 is the most recent release
• Metasploit now has 567 exploits and 283 auxiliary modules
(up from 551 and 261 in v3.4)
6. Metasploit Framework Overview
Open source tool used for:
Penetration testing
IDS signature development
Exploit research
Consists of:
Web server
Console
Signatures
7. Runs on any operating system
Source code for Linux/Unix/Mac OS X
Portable to Windows via Cygwin
Allows anyone to exploit & usually “root” certain machines
with only an IP address and a basic background on the system
Requires no knowledge of the software bug or of the exploit
machine code
10. Penetration Testing Overview
Active evaluation of a system or network of systems
Assume the role of a black hat hacker or “bad guy”
Often uses the same tools as hackers
12. What is penetration testing? Penetration testing, often
called “pentesting”, “pen testing”, or “security testing”, is the
practice of attacking your own or your clients’ IT systems in
the same way a hacker would, to identify security holes. Of
course, you do this without actually harming the network.
The person carrying out a penetration test is called a
penetration tester or pentester.
Let’s make one thing crystal clear: penetration testing
requires that you get permission from the person who owns
the system. Otherwise, you would be hacking the
system, which is illegal in most countries – and trust me, you
don’t look good in an orange jumpsuit.
13. You can become a penetration tester at home by testing your
own server and later make a career out of it. At Rapid7, we
have a team of professionals that pentest government and
enterprise IT systems for a living. And let me tell you, they
enjoy their job!
To better understand penetration testing, you first need to
understand the basic security concepts of
vulnerabilities, exploits, and payloads.
14. What is a vulnerability?
• A vulnerability is a security hole in a piece of software, hardware or operating system
that provides a potential angle to attack the system. A vulnerability can be as simple as
weak passwords or as complex as buffer overflows or SQL injection vulnerabilities.
• To test if you have any vulnerabilities in your systems, you typically use a vulnerability
management solution, also known as a vulnerability scanner or vulnerability assessment
solution. If you would like to get your hands on a free vulnerability scanner, try NeXpose
Community Edition, one of Metasploit’s sister projects.
• Vulnerability scanning
• Vulnerability scanning lets you quickly scan a target IP range for known
vulnerabilities, giving a penetration tester a quick idea of which attacks might be worth
conducting. When used properly, this is a great asset to a pen tester, yet it is not without
its drawbacks. Vulnerability scanning is well known for high false positive and false
negative rates. This has to be kept in mind when working with any vulnerability scanning
software.
• Let’s look through some of the vulnerability scanning capabilities that the Metasploit
Framework can provide.
15. What is security research?
• Vulnerabilities are typically found by security researchers, which
is a posh term for smart people who like to find flaws in systems
and break them. At Rapid7, we have a team of vulnerability
researchers that do nothing else all day. Trust us, this can be a
lot of fun.
• Like penetration testing, security research can be used for good
and evil. Some countries don’t make the distinction and outlaw
security research completely, so make sure you check your
country’s legislation before you start researching and especially
before you publish any research.
16. What is an exploit?
• To take advantage of a vulnerability, you often need an exploit, a
small and highly specialized computer program whose only
reason for being is to take advantage of a specific vulnerability
and to provide access to a computer system. Exploits often
deliver a payload to the target system to grant the attacker access
to the system.
• The Metasploit Project hosts the world’s largest public database
of quality-assured exploits. Have a look at our exploit database –
it’s right here on the site.
• Even the name Metasploit comes from the term “exploit”.
Metasploit was the first software to provide a common
framework for a large selection of exploits. Think of it as an
abstraction layer (“Meta”) for exploits (abbreviated “sploits”).
Get it?
17. WARNINGS:
Metasploit is very powerful, and very dangerous
This is a briefing of a demo I did on my own
systems & network, not a “live” demo
I used VMware to isolate the operating system
from other systems and the internet
Use of this in any unauthorized way will get you
fired/arrested/deported/smited by God, etc.
18. Installation
Installed on both Windows and Linux with same
results/ease of use
Uses a web server as interface
Signature updates downloaded automatically
Started the web server & logged in
25. Linux system - Port scan
Nmap reveals several things
Services – SSH, rpcbind, filesharing
Operating System – Linux, kernel version –
2.4.6 – 2.4.26, or 2.4.9, 2.6.5 – 2.6.11
Doesn’t tell us the distribution, but we can
guess
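The slide reads the Nmap result by hand (services, then an OS guess, then an inference about the distribution). As an added example that is not part of the original deck, the Ruby below parses Nmap's greppable (-oG) output into a per-host inventory and lists the open services a defender would want reviewed before an assessor reaches them; the scan lines, the 192.0.2.x addresses and the REVIEW_PORTS table are constructed for the example.

```ruby
# Added example: parse Nmap -oG output and flag exposed services.
# The scan lines below are constructed sample data, not a real scan.
SAMPLE_GNMAP = [
  "Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 3.9p1/, " \
  "111/open/tcp//rpcbind//2 (rpc #100000)/, 139/open/tcp//netbios-ssn//Samba smbd 3.X/" \
  "\tOS: Linux 2.4.X|2.6.X",
  "Host: 192.0.2.11 ()\tPorts: 80/open/tcp//http//Apache httpd 2.2/, 443/closed/tcp//https///"
].freeze

# Services the slide's scan turned up (SSH, rpcbind, SMB file sharing);
# a defender wants to know where these listen. Constructed table.
REVIEW_PORTS = { 22 => "ssh", 111 => "rpcbind", 139 => "smb/netbios" }.freeze

# Returns { ip => { os: String|nil, ports: [{ port:, state:, proto:, service:, version: }] } }.
# -oG fields are tab-separated; each port entry is
# port/state/protocol/owner/service/rpcinfo/version/.
def parse_gnmap(lines)
  hosts = {}
  lines.each do |line|
    fields = line.split("\t")
    ip = fields[0][/^Host:\s+(\S+)/, 1]
    next unless ip
    host = { os: nil, ports: [] }
    fields.drop(1).each do |f|
      if f.start_with?("Ports:")
        f.sub("Ports:", "").split(", ").each do |entry|
          port, state, proto, _owner, svc, _rpc, ver = entry.strip.split("/")
          host[:ports] << { port: port.to_i, state: state, proto: proto,
                            service: svc, version: ver.to_s }
        end
      elsif f.start_with?("OS:")
        host[:os] = f.sub("OS:", "").strip
      end
    end
    hosts[ip] = host
  end
  hosts
end

# Open ports on the review list, as "ip:port name (version)" strings.
def exposures(hosts)
  hosts.flat_map do |ip, h|
    h[:ports].select { |p| p[:state] == "open" && REVIEW_PORTS.key?(p[:port]) }
             .map { |p| "#{ip}:#{p[:port]} #{REVIEW_PORTS[p[:port]]} (#{p[:version]})" }
  end
end

puts exposures(parse_gnmap(SAMPLE_GNMAP)) if __FILE__ == $PROGRAM_NAME
```

The version column is what a defender checks against the exploit list; the OS field stays a fingerprint guess, as the slide notes.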
28. Demo
File sharing (port 139) is running on a Linux
machine
Assume Samba is running
Choose “samba trans2open” from the list of
exploits
33. What is a payload?
• A payload is the piece of software that lets you control a
computer system after it’s been exploited. The payload is
typically attached to and delivered by the exploit. Just imagine
an exploit that carries the payload in its backpack when it
breaks into the system and then leaves the backpack there.
Yes, it’s a corny description, but you get the picture.
• Metasploit’s most popular payload is called Meterpreter, which
enables you to do all sorts of funky stuff on the target system.
For example, you can upload and download files from the
system, take screenshots, and collect password hashes. You can
even take over the screen, mouse, and keyboard to fully control
the computer. If you’re feeling particularly bad-ass, you can even
turn on a laptop’s webcam and be a fly on the wall.
35. Demo
Payloads
Add User
Bind – shell
Exec – execute one command
And many more
Chose “linux_ia32_bind”
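A bind payload such as the linux_ia32_bind chosen here opens a new listening TCP port on the exploited host, which is exactly what a defender can watch for. As an added example that is not part of the original deck, the Ruby below diffs the current listeners from netstat -ltn style output against a known-good baseline; the netstat text, the baseline and the extra port 4444 are constructed for the example.

```ruby
# Added example: spot a listener that is not in the baseline (e.g. a bind
# shell). Baseline and netstat output below are constructed sample data.
BASELINE_LISTENERS = [["0.0.0.0", 22], ["0.0.0.0", 111], ["0.0.0.0", 139]].freeze

SAMPLE_NETSTAT = <<~OUT
  Active Internet connections (only servers)
  Proto Recv-Q Send-Q Local Address           Foreign Address         State
  tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
  tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
  tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN
  tcp        0      0 0.0.0.0:4444            0.0.0.0:*               LISTEN
OUT

# Parse "netstat -ltn" output into [address, port] pairs for LISTEN sockets.
# Header lines and non-TCP rows are skipped; rpartition keeps IPv6 addresses intact.
def parse_listeners(text)
  text.each_line.each_with_object([]) do |line, acc|
    cols = line.split
    next unless cols[0].to_s.start_with?("tcp") && cols.last == "LISTEN"
    addr, _sep, port = cols[3].rpartition(":")
    acc << [addr, port.to_i]
  end
end

# Listeners present now but absent from the baseline: candidates for a bind
# shell or any other service nobody provisioned. Returns [[addr, port], ...].
def unexpected_listeners(current, baseline)
  current.reject { |l| baseline.include?(l) }
end

if __FILE__ == $PROGRAM_NAME
  unexpected_listeners(parse_listeners(SAMPLE_NETSTAT), BASELINE_LISTENERS)
    .each { |addr, port| puts "unexpected listener #{addr}:#{port}" }
end
```

Run the same diff against a baseline captured at build time; a bind shell shows up as a port the baseline never had.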
40. Demo
I had little success with the “check” option.
Most of the time, Metasploit would say it
was not vulnerable; however, it was
Run Exploit
55. Demo
Shell access opens up the doors to any other service
Steal passwords
Add/delete users
Alter/disrupt services
Download files
Change files
Change logs
Full access to any other privileged services on other
machines
56. Summary
Metasploit is very easy to use, and very powerful
Web interface allows the scans to be run from
any system, on any operating system
Evidence may or may not be left behind on the
system
IDS/IPS will sense these exploits
Only contains old & well-known exploits